IoT Security: Don’t Sacrifice Data for Usability
By Christos Kalantzis
Over the last decade, we’ve seen truly innovative developments bring us to today’s internet of things (IoT). With the advent of inexpensive sensor components and systems on a chip (SoCs), as well as the new programming techniques and tools that share, analyze and process large amounts of data almost instantaneously,
it is no surprise that the IoT landscape has taken off as it has. There are what feels like an indefinite amount of potential use cases, from tracking user shopping habits in a mall to monitoring medical sensor data in hospitals. The tools exist today to automatically (or with very little effort) gather data and use it to improve whatever workflow you’re looking to optimize.
With so much opportunity, there is also great risk. There is a lot of responsibility that comes with vetting and choosing IoT vendors. Your data, and more importantly your customers’ data, is flowing through those devices. It’s critical to make sure that data is as secure as possible.
Choose a Reputable IoT Device Vendor
The aforementioned ubiquity of devices means that there are a plethora of options available at different price points. While it can be tempting to save money and choose a more inexpensive vendor (and inexpensive doesn’t always mean bad), it may be an indicator that the vendor is cutting some corners when it comes to long-term support of devices.
IoT devices are often built on libraries and common platforms, such as Android or another device OS/firmware. In the vetting process, make sure the IoT devices have been penetration-tested and aren’t easy targets for cybercriminals. Hackers only need to get into one device to get access to an entire IoT network. When deciding on a vendor, make sure it is committed to its hardware and plans on offering security updates to the devices.
Trust but Verify for IoT Security
Once IoT devices are deployed, you must think about them like computers or servers on your network. As such, whatever security or vulnerability management program you have in place needs to be extended to these devices. The nature of these devices is such that data usually flows to a very specific target. Whenever possible, adjust your network’s firewall rules to limit the devices’ traffic to the intended target. This will help prevent data going to an unauthorized third party in the case of a device hijacking and help mitigate any possible damage. Monitoring the devices’ network traffic patterns for anomalies is also a good idea. Although a firewall will prevent data from escaping, you would want to know if the devices are compromised so that you can disable and address them with your device vendor.
The Back End Is as Important as the Front
Devices are just one part of the IoT equation. The IoT platform used is just as important, and potentially vulnerable, as the devices. The variety of infrastructure necessary to process that data and make it available in some kind of consumable form is complex and can often be daunting to secure and maintain running. This is why it is preferred to use platforms from reputable vendors, which are motivated to keep your data secure while providing you a platform to focus on your IoT project.
Further vetting, however, may be required to make sure you comply with your local laws and regulations. For example, HIPAA compliance may be necessary if you’re processing medical data, or local governance laws may require that data remain within certain borders. Big, recognizable names do not automatically equal compliance. Make sure to do your homework and find out what gaps need to be filled to remain compliant.
“Revolutionary” is a term thrown about a lot to describe technological advancements. In the case of IoT, that term is well-deserved. The ability to collect and process data in real-time to identify patterns to allow for quick decisions and adjustments to a strategy is a game-changer for many lines of business. However, we cannot forget that bad actors recognize the value of this data as well. They also recognize IoT as a new vector to infiltrate a corporate network.
Choosing the right IoT vendor and partner could mean the difference between becoming a billion-dollar business or a cautionary tale. Proceed with care.